Fix authentication mass assignment vulnerability (#14468)
Users were able to submit changes to fields they should not have had access to change by bypassing the frontend validation. Correct the backend validation to prevent that.
murrant committed Oct 17, 2022
1 parent abf00ea commit 09a2977
Showing 2 changed files with 15 additions and 2 deletions.
2 changes: 1 addition & 1 deletion app/Http/Controllers/UserController.php
Expand Up @@ -180,7 +180,7 @@ public function update(UpdateUserRequest $request, User $user, FlasherInterface
}
}

$user->fill($request->all());
$user->fill($request->validated());

if ($request->has('dashboard') && $this->updateDashboard($user, $request->get('dashboard'))) {
$flasher->addSuccess(__('Updated dashboard for :username', ['username' => $user->username]));
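Review bot: The dashboard branch two lines below the fix still reads the raw request (`$request->has('dashboard')` / `$request->get('dashboard')`) while every other field now comes from `validated()`, so the form request's rule list is the allow-list for `fill()` but not for this path. Capturing the validated payload once, `$validated = $request->validated(); $user->fill($validated);` followed by `if (isset($validated['dashboard']) && $this->updateDashboard($user, $validated['dashboard']))`, keeps both consumers on the same source of truth and avoids handing `updateDashboard()` a key the rules may not define for the current role. Whether `updateDashboard()` verifies that the supplied id belongs to `$user` is not visible here and is worth confirming, since a user-controlled id reaches it. `update()` begins and ends outside this hunk.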
15 changes: 14 additions & 1 deletion app/Http/Requests/UpdateUserRequest.php
Expand Up @@ -37,11 +37,24 @@ public function authorize()
*/
public function rules()
{
if ($this->user()->isAdmin()) {
return [
'realname' => 'nullable|max:64|alpha_space',
'email' => 'nullable|email|max:64',
'descr' => 'nullable|max:30|alpha_space',
'new_password' => 'nullable|confirmed|min:' . Config::get('password.min_length', 8),
'new_password_confirmation' => 'nullable|same:new_password',
'dashboard' => 'int',
'level' => 'int',
'enabled' => 'nullable',
'can_modify_passwd' => 'nullable',
];
}

return [
'realname' => 'nullable|max:64|alpha_space',
'email' => 'nullable|email|max:64',
'descr' => 'nullable|max:30|alpha_space',
'level' => 'int',
'old_password' => 'nullable|string',
'new_password' => 'nullable|confirmed|min:' . Config::get('password.min_length', 8),
'new_password_confirmation' => 'nullable|same:new_password',
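Review bot: Whether the `'level' => 'int'` entry in the non-admin array is this hunk's single deleted line cannot be read off the rendered page; if it survives, a non-admin user can still change their own `level` through `validated()`, which is the same class of bug this commit fixes, so it should be confirmed gone. The two arrays also duplicate the realname, email, descr and password rules, and because this list is now the effective mass-assignment allow-list for `UserController::update()`, divergence between the copies becomes a privilege bug rather than a cosmetic one; a shared base plus role-specific additions keeps that in one place, as sketched below. A docblock on `rules()` stating that every key returned here is assignable via `$user->fill($request->validated())` would make that coupling explicit to future editors. `'enabled'` and `'can_modify_passwd'` are only `nullable`, so any value is accepted; `'boolean'` would be tighter if the form submits 0/1, which cannot be seen here. The non-admin return array continues past the end of the hunk.
```php
public function rules()
{
    // Shared by admin and self-service edits. Every key returned from this
    // method is mass-assignable via $user->fill($request->validated()).
    $shared = [
        'realname' => 'nullable|max:64|alpha_space',
        'email' => 'nullable|email|max:64',
        'descr' => 'nullable|max:30|alpha_space',
        'new_password' => 'nullable|confirmed|min:' . Config::get('password.min_length', 8),
        'new_password_confirmation' => 'nullable|same:new_password',
    ];

    if ($this->user()->isAdmin()) {
        return $shared + [
            'dashboard' => 'int',
            'level' => 'int',
            'enabled' => 'nullable',
            'can_modify_passwd' => 'nullable',
        ];
    }

    return $shared + [
        'old_password' => 'nullable|string',
        // … unchanged: remaining self-service rules past the end of the hunk …
    ];
}
```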
